The grocery chain Wegmans in late June was hit with a $400,000 fine imposed by the New York State Attorney General for allegedly exposing the personal information of some 3 million shoppers. The AG said the company kept information such as addresses and driver’s license numbers in cloud storage containers that were misconfigured for over three years, during which time a bad actor could have easily cracked the login and made out with the data.
Such a fine hardly breaks the bank for a company that has annual revenues of more than $11.2 billion, but it’s a strong warning, and one that other organizations should take to heart. It’s hard enough for security professionals to know and protect one cloud environment, but with organizations running multi-cloud environments, it’s a different ballgame, with higher stakes. Besides citing the misconfiguration, the New York AG also charged that Wegmans didn’t track its cloud assets long-term, which made it harder to investigate security incidents when they were detected.
Attackers are targeting cloud infrastructure more than ever, always on the lookout for weaknesses, and misconfigurations they can exploit. Misconfigured cloud workloads and over permissive policies are often a weak link, so identity and access management (IAM) should serve as the backbone of any multi-cloud security stack. It’s the one discipline that can have the biggest impact on security in the cloud.
Security organizations are challenged by the fragmented nature of control systems across each cloud platform. Every cloud provider has thousands of permissions, and its own proprietary tools and nomenclature for managing them. With a single set of compromised credentials, attackers often gain wide-ranging access to cloud resources because of over-privileged accounts that use default policy settings.
Best practices learned from the Wegmans case
The New York AG ordered Wegmans to establish a number or security measures that serve as a good template for best practices, such as maintaining an inventory of all cloud assets, setting up controls to limit access to information on the cloud and establishing a penetration testing program including at least one annual test of its cloud environment. The AG also ordered Wegmans to establish an information security program with regular updates to keep up with emerging threats and report risks to management.
Here are four best practices that can help defenders raise the bar:
- Rethink the organization’s security approach: Cloud adoption has changed how organizations manage workloads and data. This means they have to rethink security and throw out the mindset from the days when everything was stored on-premises. Many cloud platforms have strong logging systems that security teams can use to improve cloud security posture, misconfiguration, and breach resilience.
- Assign a dedicated cloud security team or individual: Each cloud workload presents itself as a potential attack surface for cybercriminals. Keeping them safe is job No. 1, since this protects hundreds of services, apps and other infrastructure that could become attack surfaces for hackers. Even if the organization can’t afford a separate cloud team, any security team worth its salt needs at least one cloud expert on board. Access and identity management has become a complex job, one that requires understanding each cloud platform’s tools and processes. Security pros should understand the features of every cloud service provider and security service in use, and have read all the documentation for each one.
- Keep the cloud simple: Not all organizations can afford to have fully-staffed security operations centers. Smaller ones, or those working with a limited budget, should consider staying away from multi-cloud deployments. Managing one cloud infrastructure presents a tough enough challenge. Also, build two separate environments for staging and production. This will let the team handle all the access and policy building safely in the staging environment before moving on to production.
- Maintain a tight rein on credentials: Cybercriminals are always evolving, and every year we see more attacks on cloud infrastructure that use new, more advanced tactics. Most attacks usually start with the same tactics, techniques, and procedures (TTPs) such as credential theft and spear phishing. Over-permissive policies will let an adversary move laterally and access administrative controls. Implementing a least privilege permissions model can reduce the blast radius if an account gets compromised.
In its ruling, the New York AG warned that in the 21st century, there’s “no excuse” for companies to have poor cybersecurity systems. The cloud, meanwhile, needs 21st century protection, not traditional perimeter controls used to keep on-premises data centers safe.
Igal Gofman, head of research, Ermetic